Professional Documents
Culture Documents
998 20186845 - Gma Us PDF
998 20186845 - Gma Us PDF
998 20186845 - Gma Us PDF
by Daniel DesRuisseaux
Director, Industry Cybersecurity Program
Schneider Electric
Executive Summary
The demands of modern IIoT applications
increases the complexity of systems infra-
structure and puts additional pressure on
IT and OT security. As the frequency and
sophistication of cyber-attacks increase,
operations must leverage industry stand-ards
to achieve consistent protection.
This paper will address how IEC62443 can
be applied to industrial control systems and
help readers understand the various priorities
and steps required to help miti-gate cyber
threats.
Schneider Electric White Paper 2
Table of Introduction...................................................................................................................... 3
Contents EcoStruxure..................................................................................................................... 3
Cybersecurity Concepts.................................................................................................. 4
Defense in Depth................................................................................................ 4
Compensating Controls...................................................................................... 5
Format Overview................................................................................................. 6
Conclusion......................................................................................................................13
Introduction Industrial Control Systems (ICS) have experienced an exponential increase in cyberattacks
over the last decade. The industry has responded to cybersecurity threats by creating
standards to assist end users and equipment vendors through the process of securing
industrial control systems. There are a number of key standards available in the market
today. IEC 62443 has been developed by both the ISA99 and IEC committees to improve
the safety, availability, integrity, and confidentiality of components or systems used in
industrial automation and control. The IEC 62443 series of standards can be utilized
across industrial control segments, and has been approved by many countries. IEC 62443
is evolving to become a key standard in the industry, and Schneider Electric is building its
cybersecurity strategy around the standard.
Figure 1
EcoStruxure
Architecture Building Data Center Industry Infrastructure
Cloud and / or on Premise
Edge Control
Connected Products
Cybersecurity In this section, concepts will be introduced that are necessary for understanding
recommendations presented later in the paper.
Concepts
Security Assurance Levels
The IEC 62443 standard includes the concept of security assurance levels. The
specification defines a series of requirements designed to bring system security to one
of the four defined levels. A summary of each level coupled with a characterization of the
type of attacker the security level is designed to address is presented in the table below.
End users interested in providing a solution that is designed to address attacks from
generic hackers or cybercriminals for example should implement a system with features
specified in security assurance level 2. Note that the characterizations provided in
the table are generic classifications to provide high level guidance to customers –
implementing SL2 featured does not guarantee that a system can stop an attack from
all hackers or cybercriminals.
Defense in Depth
Defense in depth is the coordinated use of security countermeasures to protect the
integrity of information assets in a network. Proper implementation of a defense in
depth strategy involves the implementation of six steps. A brief summary of each step is
provided below.
●● Create a Security Plan – The most important step in the overall defense in depth
process involves creating a security plan. In the security plan, personnel create a
detailed audit of all of the equipment connected to the industrial control network,
map how the equipment is connected, review the security configuration of
equipment, and assess potential system vulnerabilities. The security plan includes
the impacts of products, architectures, people, and corporate processes. A
completed security plan is required before any additional steps can be taken to
improve system security. Otherwise, the personnel may think a system is secure
without being cognizant of potential attack vectors.
●● Separate Networks – Once a detailed network map is created in the security plan,
networks can be separated by a major function. An example would be dividing a
network into an enterprise, plant, process, and field zones. All conduits between
the zones should be identified.
●● Perimeter Protection – In this step, conduits between zones are properly protected.
An important part in this step includes securing remote access.
●● Network Segmentation – In this step, zones created in step two can be divided into
smaller zones based on location or function. The perimeters of these segmented
zones are protected. It is important to note that the security level assigned to each
zone can vary. For example, the security level tied to equipment in a monitoring role
can be set to Level 1, while the security level ascribed to a safety system can be
set to Level 3. The level of each segmented zone does not have to be same as its
neighbors.
●● Monitor and Update – Actively monitoring the network activity to detect potential
threats, and patch products as new software/firmware is made available to address
vulnerabilities or to add security features.
Compensating Controls
Another important concept is compensating controls. If a product does not have
the required security functionality, the system can still meet the requirements if the
required functionality is provided by a different component in the system. For example,
let’s assume that a system uses an older PLC. The PLC lacks some of the required
security features, but placing a firewall in front of the PLC provides the needed
functionality to protect the PLC. The addition of the firewall will allow the system to
pass the certification requirement.
Format Overview
A sample network will be used to help illustrate the changes required to improve security
at each of the target security levels. The sample network is presented below.
Router
Vijeo Citect
and OFS ConneXium
Vijeo Citect Web Unity Pro, Network Manager
(SCADA Administration
Clients (Operations) (Network Mgmt)
and OPC) Workstation
Other Servers
RTU
Safety
PAC Hot-Standby
PAC HMI/PC
Controller
Controller Controller
Remote IO
Remote IO
Distributed IO
HMI
Drive
Motor
Starter Energy
Monitoring
ICS components are deployed throughout the network, including controllers, safety
systems, drives, and HMIs. The sample network is a generic industrial control system that
could be used in a variety of industrial segments.
This paper will examine cybersecurity requirements for Ethernet based networks. Elements
connected using serial based interfaces are not considered in the scope of the document.
In the remainder of this paper, the sample network referenced above will be modified
to illustrate changes that will allow it to meet the requirements specified in each of the
IEC 62443 security levels. The paper will focus on the first three security levels, as these
will encompass the bulk of industrial applications. We will focus on system requirements
as specified in the IEC 62443-3-3 system standard. Each of the security levels will be
presented and coupled with a description of changes. The paper assumes that when
the security level is increased, it will be increased for the entire network (specific network
segments will not be set at different security levels) to simplify presentation.
The suggested changes will be the minimum required to enable the system to meet the
target level. For example, a simple firewall can be used to segment networks in security
level 1. A more advanced deep packet inspection firewall or a unidirectional gateway
would provide greater security than a simple firewall, but additional security capabilities
are not specified at this level – they may be specified at advanced levels. Customers can
always use techniques specified in advanced levels to improve security in their systems.
The paper will also focus on products and architectures. Other aspects that can be
defined in a security plan (personnel training, corporate security policies, etc.) will not
be discussed.
Mobile Device
Management
Router
DMZ Patch
Vijeo Historian, Ampla
Management
(Historian and MES)
Server
Control
(Plant/Process)
Vijeo Citect
and OFS Vijeo Citect Unity Pro, ConneXium
(SCADA Web Clients Administration Network Manager
and OPC) (Operations) Workstation (Network Mgmt) EPO
Other Servers Server
RTU
Field Device
PAC PAC
Safety Hot-Standby
Controller Controller
Magelis
HMI/PC
Remote IO Remote IO
Distributed IO
Remote IO
HMI
Drive Motor
Energy
Motor Monitoring
Starter
In this example, the control zone from the sample network has been broken into seven
smaller zones highlighted in grey. New elements are highlighted in green. The zones are:
●● Demilitarized Zone (DMZ) – A subnetwork that contains and exposes the external
facing services of the control zone to the enterprise network. Servers in the
enterprise zone should never be directly connected to elements within the control
zone. Yet business systems need access to control zone data, and elements in the
control zone need access to files originating from untrusted networks (firmware
updates for example). The DMZ contains systems that need to access both the
control and enterprise equipment.
●● Plant/Process Zone – Zone hosting products and applications enabling plant and
process management.
●● Controller Zones – In this example the field device area has been broken into
three zones. Two are standard control zones, and one is a safety controller zone.
Zone segmentation is a product of the security plan and will vary based on the
application - this is simply an example.
Industrial grade firewalls (highlighted in green) have been added to segment the network.
In addition, an EPO server and Mobile Device Management server have been added
along with application whitelisting software for servers hosting ICS software.
Security Level 2 The security assurance level 2 specification includes requirements specified in security
level 1, and adds the following requirements. Note that IEC 62443-3-3 specifies 23
individual requirements, we have simplified the list into 11 major requirements. Parties
interested in details should refer to the IEC standards.
Some of the specifications require products to be added to the network. A unified account
management appliance, Certificate Authority, Back-up Server, Event Server, and Network
Intrusion Detection System have been added to the network and highlighted in green
below. In addition, the control network has been segmented into two separate networks.
Note that the potential ICS device replaced to support new features required in SL2
(having to upgrade to a new PLC that supports secure protocols for example) are not
captured in the diagram.
Mobile Device
Management
Router
NID Node
Control
Vijeo Citect
(Plant/Process) and OFS ConneXium
Unity Pro,
Vijeo Citect Web Network Manager
(SCADA Administration
Clients EPO
and OPC) Workstation (Network Mgmt)
Other Servers (Operations) Server
Backup
Server
RTU
Certificate
Authority
Field Device
NID Node
NID Node PAC Unified Account
Safety Hot -Standby
Controller
Safety PAC Controller
Hot-Standby
Management
Controller Appliance
Controller Magelis
HMI/PC
Syslog
Remote IO Server
Remote IO
Network
Intrusion
Distributed IO Detection
Remote IO System
HMI
Drive Motor
Energy
Motor Monitoring
Starter
Security Level 3 The security assurance level 3 specification includes requirements specified in security
level 2, and adds the following requirements. Note that IEC 62443-3-3 specifies 30
individual requirements, we have simplified the list into 12 major requirements. Parties
interested in details should refer to the IEC standards.
Some of the specifications require products to be added to the network. For example, the
event server that was added at security level 2 will have to be updated to a SIEM server to
accommodate security level 3 requirements. In addition, a GPS time source and a wireless
threat device have to be added.
NID Node
Control
(Plant/Process) Vijeo Citect
and OFS ConneXium Vijeo Citect Web Unity Pro, GPS
(SCADA Network Manager Clients Administration Timesource EPO
and OPC) (Network Mgmt) (Operations) Workstation Server
Other Servers
Wireless
Backup
Threat
Server
Detection
Certificate
RTU Authority
Unified Account
Field Device Management
PAC Hot-Standby PAC Appliance
Safety
Controller Controller
Magelis SIEM
HMI/PC Server
Remote IO Remote IO
Network
Intrusion
Detection
System
Distributed IO
Remote IO
HMI
Drive Motor
Energy
Motor Monitoring
Starter
Product The IEC 62443 standard defines requirements for product and system security levels.
These requirements provide value to both end users and equipment vendors.
and System ●● End Users – End users traditionally evaluate vendor products based on criteria
Certification including feature content, price, and delivery terms. Specifying features can be
a complex process. IEC 62443 simplifies the process of defining cybersecurity
requirements by allowing end users to specify a target security level vs. defining
a cumbersome list of individual features. End users will know the exact features
available in equipment based on its compliance with the IEC 62443 standards.
Vendors can pursue both certification for end devices (as specified in IEC 62443-4-2)
or systems (as specified in IEC 62443-3-3). In both cases, compliance to standards
should be validated by an independent third party. End users should adopt cybersecurity
certifications to their equipment purchasing requirements.
Conclusion The IEC 62443 specification provides essential guidance to end users who seek to secure
industrial solutions. The security assurance level framework helps to group cybersecurity
requirements to aide implementation. Increasing system security can result in the need to
upgrade older ICS equipment, and to purchase new cybersecurity appliances. Required
expenditures and implementation complexity will increase with targeted security level.
A detailed security plan is essential before initiating any work to secure an industrial
solution. Secure products and architectures are only part of the solution - personnel
training coupled with sound corporate security policies are essential to secure industrial
control systems.
Contact Us
For more information, please visit our website at:
https://www.schneider-electric.com/en/work/solutions/cybersecurity/